Relevant RFC on A records for NS's

Thu Apr 30 12:11:20 UTC 2009

On Apr 30, 2009, at 3:54 AM, Kal Feher wrote:

> Lets check where they are delegated:
> 1st the hostwizard domain
> $ dig ns hostwizard.com +short
> ns1.hostwizard.com.
> ns1.nacio.com.
>
> Now nacio
> $ dig ns nacio.com +short
> ns1.nacio.com.
> ns3.nacio.com.
> ns2.nacio.com.
>
> So what _should_ we see if I query ns1.nacio.com for hostwizard.com?
> Since the domain is delegated there, I would expect an authoritive  
> answer

I would agree, that would be my hope at least, if not, I know  
something is wrong.

> $ dig a ns1.hostwizard.com @ns1.nacio.com
>
> ; <<>> DiG 9.4.2-P2 <<>> a ns1.hostwizard.com @ns1.nacio.com
> ;; global options:  printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1579
> ;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 1
> ;; WARNING: recursion requested but not available
>
> ;; QUESTION SECTION:
> ;ns1.hostwizard.com.            IN      A
>
> ;; ANSWER SECTION:
> ns1.hostwizard.com.     3600    IN      A       64.84.37.14
>
> ;; AUTHORITY SECTION:
> hostwizard.com.         3600    IN      NS      ns1.nacio.com.
> hostwizard.com.         3600    IN      NS      ns1.hostwizard.com.
>
> ;; ADDITIONAL SECTION:
> ns1.nacio.com.          3600    IN      A       64.84.0.18
>
> ;; Query time: 177 msec
> ;; SERVER: 64.84.0.18#53(64.84.0.18)
> ;; WHEN: Thu Apr 30 20:45:00 2009

Right, so looks good to me so far.

> But what if I do the reverse? That is...query ns1.hostwizard.com for
> ns1.nacio.com. We know that nacio.com isnt delegated to it. What  
> should
> ns1.hostwizard.com answer? Normally either an upwards referral to  
> the root
> servers or (if caching is disabled) with refused. I added some *s for
> emphasis.

Here is where I would get a little blurry.  Granted, you gave me the  
answer :)
Had you not, I would have thought asking ns1.hostwizard.com for  
ns1.nacio.com that you get nothing. I do not think I am supposed to be  
answering the question of ns1.nacio.com from ns1.hostwizard.com

I would also wonder why that question ever even made it to my server.   
If it does make its way, I would expect my server to do what it does  
in most of the other cases when it does not know something, which is  
pass the question on to a friend.

> $ dig ns1.nacio.com @ns1.hostwizard.com +norec
>
> ; <<>> DiG 9.4.2-P2 <<>> ns1.nacio.com @ns1.hostwizard.com +norec
> ;; global options:  printcmd
> ;; Got answer:
> ****;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 35446
> ;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;ns1.nacio.com.                 IN      A
>
> ;; Query time: 250 msec
> ;; SERVER: 64.84.37.14#53(64.84.37.14)
> ;; WHEN: Thu Apr 30 20:49:50 2009
>
> ns1.hostwizard looks like it isn't answering from cache, (which is  
> fine). So
> you shouldn't worry. Sorry for the overly verbose response ;)

Not at all, I truly appreciate the verbosity of your answer.  I  
wonder, how were you able to discern that it did not come from cache?   
Just the fact it was REFUSED implied that?  Or the fact you used  
+norec, forces it in most cases, though not all are required from what  
I am reading?

Thanks again.
-- 
Scott * If you contact me off list replace talklists@ with scott@ *